oss-sec mailing list archives

CVE Request: Linux kernel net/rds max socket length checking


From: Marcus Meissner <meissner () suse de>
Date: Mon, 6 Aug 2012 09:48:50 +0200

Hi,

Kernel memory information leak in the RDS protocol.
(commit also has a testcase)

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=06b6a1cf6e776426766298d055bb3991957d90a7

Ciao, Marcus

commit 06b6a1cf6e776426766298d055bb3991957d90a7
Author: Weiping Pan <wpan () redhat com>
Date:   Mon Jul 23 10:37:48 2012 +0800

    rds: set correct msg_namelen
    
    Jay Fenlason (fenlason () redhat com) found a bug,
    that recvfrom() on an RDS socket can return the contents of random kernel
    memory to userspace if it was called with an address length larger than
    sizeof(struct sockaddr_in).
    rds_recvmsg() also fails to set the addr_len parameter properly before
    returning, but that's just a bug.
    There are also a number of cases where recvfrom() can return an entirely bogus
    address. Anything in rds_recvmsg() that returns a non-negative value but does
    not go through the "sin = (struct sockaddr_in *)msg->msg_name;" code path
    at the end of the while(1) loop will return up to 128 bytes of kernel memory
    to userspace.
    
    And I wrote two test programs to reproduce this bug, you will see that in
    rds_server, fromAddr will be overwritten and the following sock_fd will be
    destroyed.
    Yes, it is the programmer's fault to set msg_namelen incorrectly, but it is
    better to make the kernel copy the real length of address to user space in
    such case.

-- 
Open Linux Security Engineer Position at SUSE: http://bit.ly/Li4RbS
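The failure mode the commit message describes, as an added example that is not part of the report or of the kernel commit: a small user-space model of the name copy-back in recvmsg(), with the buggy behaviour (the caller's oversized address length is used as-is and the path that fills msg_name may not have run, so stale kernel bytes reach user space) next to the fixed behaviour (msg_namelen is set to the real sockaddr_in length before the copy), plus the check a test program would do on its own buffer. The stale kernel buffer contents, the 256-byte caller buffer and the 0xAA sentinel are constructed sample data; KNAME_MAX = 128 is taken from the "up to 128 bytes" figure in the commit message and the real kernel buffer layout is not modelled.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Size of the kernel-side name scratch area in this model. 128 is the
 * "up to 128 bytes" figure from the commit message; the real buffer
 * layout in rds_recvmsg() is not modelled (assumption). */
#define KNAME_MAX 128

/* Stale kernel data standing in for whatever the uninitialised name
 * buffer happens to contain (constructed pattern, not real kernel memory).
 * The pattern never contains the 0xAA sentinel used below. */
static void fill_stale_kernel_name(unsigned char *kname)
{
    for (int i = 0; i < KNAME_MAX; i++)
        kname[i] = (unsigned char)(0xC0 + (i & 0x3f));
}

/* Model of the buggy copy-back: the address length the caller supplied is
 * used as-is, and because the "sin = msg->msg_name" path did not run, up to
 * KNAME_MAX bytes of the scratch buffer go to user space. Returns the
 * addrlen reported back, which is simply the caller's value. */
static int copy_name_buggy(unsigned char *ubuf, int user_len,
                           const unsigned char *kname)
{
    int n = user_len < KNAME_MAX ? user_len : KNAME_MAX;
    memcpy(ubuf, kname, (size_t)n);
    return user_len;
}

/* Model of the fixed copy-back: msg_namelen is set to the real address
 * length, sizeof(struct sockaddr_in), and the copy is bounded by both that
 * and the caller's buffer length. Returns the real length. */
static int copy_name_fixed(unsigned char *ubuf, int user_len,
                           const struct sockaddr_in *peer)
{
    int real_len = (int)sizeof(struct sockaddr_in);
    int n = user_len < real_len ? user_len : real_len;
    memcpy(ubuf, peer, (size_t)n);
    return real_len;
}

/* User-space check: after recvfrom() with an oversized address buffer that
 * was pre-filled with a sentinel, count bytes past sizeof(struct sockaddr_in)
 * that changed. Any such byte came from the kernel through msg_name. */
static int bytes_clobbered_beyond_addr(const unsigned char *ubuf, int buflen,
                                       unsigned char sentinel)
{
    int clobbered = 0;
    for (int i = (int)sizeof(struct sockaddr_in); i < buflen; i++)
        if (ubuf[i] != sentinel)
            clobbered++;
    return clobbered;
}

/* Scenario from the report: the caller passes addrlen = 256, larger than
 * sizeof(struct sockaddr_in). Runs one variant and stores the reported
 * addrlen; returns the number of clobbered bytes beyond the real address. */
static int run_scenario(int use_fixed, int *reported_len)
{
    unsigned char ubuf[256];          /* caller's fromAddr buffer (constructed) */
    unsigned char kname[KNAME_MAX];
    struct sockaddr_in peer;

    memset(ubuf, 0xAA, sizeof ubuf);  /* sentinel */
    fill_stale_kernel_name(kname);
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(4000);
    peer.sin_addr.s_addr = htonl(0x7f000001);

    *reported_len = use_fixed
        ? copy_name_fixed(ubuf, (int)sizeof ubuf, &peer)
        : copy_name_buggy(ubuf, (int)sizeof ubuf, kname);
    return bytes_clobbered_beyond_addr(ubuf, (int)sizeof ubuf, 0xAA);
}

/* Convenience wrappers so each result is available by name. */
static int leaked_bytes(int use_fixed)
{
    int len;
    return run_scenario(use_fixed, &len);
}

static int reported_addrlen(int use_fixed)
{
    int len;
    (void)run_scenario(use_fixed, &len);
    return len;
}

int main(void)
{
    printf("buggy: addrlen %d, %d bytes beyond sockaddr_in overwritten\n",
           reported_addrlen(0), leaked_bytes(0));
    printf("fixed: addrlen %d, %d bytes beyond sockaddr_in overwritten\n",
           reported_addrlen(1), leaked_bytes(1));
    return 0;
}
```

In the buggy variant the caller gets back its own addrlen of 256 and 112 bytes of the stale pattern past the 16-byte sockaddr_in; in the fixed variant addrlen comes back as 16 and nothing beyond the address is touched. The same sentinel check is what a real test against an RDS socket would do on its fromAddr buffer, which is why the report notes that with a wrong msg_namelen the following sock_fd in the caller's stack frame gets overwritten.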

